How to Create and Manage Strong Passwords

Every so often a high-profile hack or security breach captures the tech community’s attention and, for a while, everyone becomes more diligent about protecting their identities and data. We have short memories, however, and eventually we fall back into our old habits of weak, but easy-to-remember passwords.

Thankfully, we have the tools to stop the cycle; all we need now is the will. Creating and managing secure passwords has never been easier, and the risks of failing to do so have never been higher. It was recently discovered that FileVault 2, Apple’s whole volume encryption technology, can be cracked in just a few hours if it is protected by a weak password.

With a strong password, the kind we’ll show you how to create below, it would take 34 years to break into FileVault. So let’s go over some tips on creating and managing strong, secure passwords.

Minimum Requirements

Before we start digging into password generators and other tricks, let’s briefly go over the basic minimum requirements that every password should have:

Uppercase characters

Lowercase characters

Digits

Symbols

The order in which they appear is not important, but every password should contain at least one of each type of character listed above. When facing a human or a computer that is attempting to break your password, the addition of each type of character significantly increases the difficulty of guessing correctly.

“The Haystack”

Security researcher Steve Gibson popularized the “haystack” concept for password creation and cracking. If you think of the total possible length of your password as a “haystack,” and the specific characters, capitalization, and order of your password as the “needle,” then your goal in creating your password is to make the haystack as large, and your needle as difficult to find, as practicable.

For example, a password of “123456,” which Mr. Gibson claimed is the most common password created by users, would mathematically take 18.5 minutes to break at 1000 guesses per second. No competent hacker would wait 18.5 minutes to try that combination of numbers, however.

Instead of a mathematical approach of starting with 000001 and counting upwards, hackers will put common passwords, like “123456,” or “password” at the top of their list and try those first. Therefore, the haystack in this scenario may be relatively large, but the needle isn’t hidden at all; it’s just resting right on top of the hay for all to see.

The goal, therefore, is to avoid using common words or number sequences, regardless of how long they are. Or, if you want to use common words to help you remember, modify those words so that they are less likely to reside in a hacker’s list of common passwords, as we’ll explain next.

Padding

Padding a password is the act of adding repeating characters to the beginning, end, or both sides of a memorable password. Mr. Gibson’s example is illustrative: which of the two passwords below is more difficult to crack?

D0g…………………

PrXyc.N(n4k77#L!eVdAfp9

Despite our preconceptions about the strength of completely random passwords, from a mathematical perspective the first password, at 24 characters in length, is harder to crack than the second password, which only contains 23 characters. You’ll notice that the first password, even though it’s easier to read than the second, still has all of our “minimum requirements:” uppercase, lowercase, numbers, and symbols.

This concept can be modified to add “padding” to both sides of a common word. As we discussed in our Tips to Avoid Being Hacked article several weeks ago, consider adding different repeating characters to the beginning and end of an easy-to-remember password, such as “aaaaaTMO!!!!!” The “TMO” is easy to remember and we surrounded it with five “a” and “!” characters.

Padding not only increases the size of your “haystack,” it also helps hide “the needle” deeper inside. Aside from extremely common passwords, a hacker or computer has no way of knowing if a subsequent character repeats. It therefore has to run through every possibility, with the result that each additional character significantly increases the time it takes to break the password.

The passwords listed here are for examples only, of course. If everyone simply used a dictionary word and added five period characters to the end of it, hackers would quickly figure that out and adjust their strategy accordingly. Therefore, make sure to use the techniques we’ve discussed to create your own unique combinations that hold specific meaning to only you.

Another example of creating uniquely specific passwords: use your significant other’s first name, with upper and lower case characters, followed by a date that’s special to you, and a random character that repeats the same number of times as the numerical value of the month you met. If your wife was named Holly, you were married on March 15, and you met in June, your password could look like: H0lly0315$$$$$$

A password like the one above is easy to remember, but just as strong as something like AnD3d$!l35zqWv%

Password Management

Now that you’ve figured out how to create memorable but strong passwords, it’s important to remember that you shouldn’t use the same password everywhere. Hackers can obtain your password without having to break it, by hacking your bank or online shopping service, for example. If your password is the same across all of your online accounts, your identity, financial information, and data may all be at risk.

Thankfully, keeping track of multiple passwords is easy. OS X has offered its Keychain application for many years. Built directly into OS X, Keychain allows you to store and recall site or application specific passwords through the use of a single “master” password. Your Keychain can be accessed by going to /Applications/Utilities/Keychain Access.app.

Third party software, such as the excellent 1Password (Mac App Store, US$49.99), expands on the OS X Keychain functionality and allows you to store site and application passwords, software license keys, online and physical membership information, and secure notes all in an encrypted archive that can be synced to and accessed on all of your Macs, iDevices, and even Windows-based computers.

If you don’t want to create memorable passwords but instead want the absolute strongest password, both Keychain and 1Password can generate completely random passwords of enormous length, up to 31 characters for Keychain and 50 characters for 1Password. If you go this route, make sure to keep backups of your password archive and/or print a list of your passwords and store them in a secure location, such as a safe or safety deposit box. If your digital database of passwords was ever lost or became corrupted, you’ll have no way to recall those long, random passwords.

Conclusion

Absolute security can never be guaranteed, but taking the time to set up password management software and change your online passwords to ones that are both secure and memorable will significantly enhance your protection in this digital age.

In the end, the key is making your haystack as large as possible and burying the needle where no human or computer could find it without years, or even centuries, of looking.

Popular TMO Stories

Another way of generating a truly random password is the “Big Box O’ Keys”.

Pick up several used keyboards, the more the better because it lets you have more duplicates. They usually come in beige and black and you’ll want to decide which one is the “Shifted” keyboard. Strip the keys off of the keyboards and pour all the keys into a shoebox. Stir well. Grab a handful of keys and lay them out in a row. If you’ve decide that the black keys are shifted then the black m is M and the black 7 is &.

Poof! You have a random password without spending $50 on 1Password.

Josh5:10 PM EDT, Aug. 23rd, 2012Guest

Bang on about password length, but truly, if your password is long, you don’t benefit by using numbers, symbols, capitals, etc.

Cracking algorithms are going to have to test for numbers, symbols and capital characters whether you use them or not; the algorithm effectiveness is only impacted by your password length.

Is that actually true? I mean is there some source to back this up other than a comic strip? And “correcthorsebatterystaple” would actually take 550 years to work out, no numera1s or $ymbols required??

Wanna jump in here, Jim?

mysterian3:40 PM EDT, Aug. 25th, 2012Guest

A strong psw is pointless if the receiver doesn’t read the whole thing, e.g. Charles Scwab account psw’s are not read past the 8th character.

Using a strong password is good but it doesn’t mean your password is impossible to be cracked. It also depends on the encryption algorithms used by your application. For example, no matter how strong or complex your email password is, as long as your password is remembered by Outlook application, someone can recover your password in seconds with Password Recovery Bundle 2013.